This is a regression in 5.3.4. Initial discussion here: https://dev.lucee.org/t/status-of-csrf-functions-and-session-type/6083
We store a struct in the session scope and then build a CFC out of that struct on every request and stash it in the request scope. When a user logs in, we create the security object from their user object and then create the session memento from that in two lines of code:
This works in 5.3.2.
In 5.3.4 or 220.127.116.11, it throws an exception: Session scope does not support CSRF Tokens – but not, interestingly, on the line where we're storing anything in the session. The tag context shows that this is happening in the constructor of the security object that is being placed in the request scope - no interaction with the session (yet) at all. This is the line in question:
If we change the session type to J2EE, it works, but that introduces other issues and is not a desirable workaround for us. It looks like on LDEV-412, it was made possible to use CSRF functions with J2EE sessions (yay!) ... but now it's no longer possible to use them without J2EE sessions.